Sync from SUSE:SLFO:Main bind revision 5611014a1cd1e4302729c582d8f43f18

Adrian Schröter 2024-08-07 22:02:42 +02:00
parent 122899a65b
commit 80ae6a9e4b
7 changed files with 136 additions and 30 deletions

BIN
bind-9.18.24.tar.xz (Stored with Git LFS)

Binary file not shown.


@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=CnZp
-----END PGP SIGNATURE-----

BIN
bind-9.20.0.tar.xz (Stored with Git LFS) Normal file

Binary file not shown.

16
bind-9.20.0.tar.xz.asc Normal file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=wneo
-----END PGP SIGNATURE-----


@ -1,3 +1,114 @@
-------------------------------------------------------------------
Wed Jul 24 09:03:08 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to new major version 9.20.0
For a complete list of all changes see:
* https://bind9.readthedocs.io/en/v9.20.0/notes.html
* The CHANGES file in the source RPM
Some noteworthy changes:
* Added new BuildRequires liburcu for lock free data structures.
* A new DNSSEC tool dnssec-ksr has been added to create Key
Signing Request (KSR) and Signed Key Response (SKR) files.
* /etc/bind.keys and /var/lib/named/named.root.key have been
removed as the correct defaults are pre-compiled and there is
no need to configure bind.keys manually.
* The functions that were in the libbind9 shared library have
been moved to the libisc and libisccfg libraries. The now-empty
libbind9 has been removed and is no longer installed.
* The irs_resconf module has been moved to the libdns shared
library. The now-empty libirs library has been removed and is
no longer installed.
Security Fixes:
* A malicious DNS client that sent many queries over TCP but
never read the responses could cause a server to respond slowly
or not at all for other clients. This has been fixed.
(CVE-2024-0760)
[bsc#1228255]
* It is possible to craft excessively large resource records
sets, which have the effect of slowing down database
processing. This has been addressed by adding a configurable
limit to the number of records that can be stored per name and
type in a cache or zone database. The default is 100, which can
be tuned with the new max-records-per-type option.
* It is possible to craft excessively large numbers of resource
record types for a given owner name, which has the effect of
slowing down database processing. This has been addressed by
adding a configurable limit to the number of records that can
be stored per name and type in a cache or zone database. The
default is 100, which can be tuned with the new
max-types-per-name option. (CVE-2024-1737)
[bsc#1228256]
* Validating DNS messages signed using the SIG(0) protocol (RFC
2931) could cause excessive CPU load, leading to a
denial-of-service condition. Support for SIG(0) message
validation was removed from this version of named.
(CVE-2024-1975)
[bsc#1228257]
* Due to a logic error, lookups that triggered serving stale data
and required lookups in local authoritative zone data could
have resulted in an assertion failure. This has been fixed.
* Potential data races were found in our DoH implementation,
related to HTTP/2 session object management and endpoints set
object management after reconfiguration. These issues have been
fixed.
* When looking up the NS records of parent zones as part of
looking up DS records, it was possible for named to trigger an
assertion failure if serve-stale was enabled. This has been
fixed. (CVE-2024-4076)
[bsc#1228258]
-------------------------------------------------------------------
Fri May 17 16:05:37 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to release 9.18.27
New Features:
* A new option signatures-jitter has been added to dnssec-policy
to allow signature expirations to be spread out over a period
of time.
Feature Changes:
* DNSSEC signatures that are not valid because the current time
falls outside the signature inception and expiration dates are
skipped instead of causing an immediate validation failure.
-------------------------------------------------------------------
Sun Apr 21 21:17:19 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to release 9.18.26
New Features:
* The statistics channel now includes counters that indicate the
number of currently connected TCP IPv4/IPv6 clients.
* Added RESOLVER.ARPA to the built in empty zones.
Bug Fixes:
* Changes to listen-on statements were ignored on reconfiguration
unless the port or interface address was changed, making it
impossible to change a related listener transport type. That
issue has been fixed.
* A bug in the keymgr code unintentionally slowed down some
DNSSEC key rollovers. This has been fixed.
* Some ISO 8601 durations were accepted erroneously, leading to
shorter durations than expected. This has been fixed.
-------------------------------------------------------------------
Wed Mar 20 13:39:16 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to release 9.18.25
Bug Fixes:
* A regression in cache-cleaning code enabled memory use to grow
significantly more quickly than before, until the configured
max-cache-size limit was reached. This has been fixed.
* Using rndc flush inadvertently caused cache cleaning to become
less effective. This could ultimately lead to the configured
max-cache-size limit being exceeded and has now been fixed.
* The logic for cleaning up expired cached DNS records was
tweaked to be more aggressive. This change helps with enforcing
max-cache-ttl and max-ncache-ttl in a timely manner. [GL #4591]
* It was possible to trigger a use-after-free assertion when the
overmem cache cleaning was initiated. This has been fixed.
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Feb 13 15:15:21 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com> Tue Feb 13 15:15:21 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
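
Review bot: In the Security Fixes list of the 9.20.0 entry, the max-types-per-name bullet repeats the previous bullet's wording, "the number of records that can be stored per name and type", although its own first sentence and the option name are about the number of record types per owner name; reword it to describe a limit on types per name. The max-records-per-type bullet also carries no CVE or bsc reference while the bullet after it has (CVE-2024-1737) [bsc#1228256]; if both limits address the same CVE, tag both. The same applies to the serve-stale logic error and DoH data race bullets, which sit under Security Fixes with no tag, so it is unclear whether (CVE-2024-4076) covers only the last bullet.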


@ -56,7 +56,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates %define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif %endif
Name: bind Name: bind
Version: 9.18.24 Version: 9.20.0
Release: 0 Release: 0
Summary: Domain Name System (DNS) Server (named) Summary: Domain Name System (DNS) Server (named)
License: MPL-2.0 License: MPL-2.0
@ -92,6 +92,7 @@ BuildRequires: pkgconfig(krb5)
BuildRequires: pkgconfig(libidn2) BuildRequires: pkgconfig(libidn2)
BuildRequires: pkgconfig(libmaxminddb) BuildRequires: pkgconfig(libmaxminddb)
BuildRequires: pkgconfig(libnghttp2) BuildRequires: pkgconfig(libnghttp2)
BuildRequires: pkgconfig(liburcu)
BuildRequires: pkgconfig(libuv) BuildRequires: pkgconfig(libuv)
BuildRequires: pkgconfig(libxml-2.0) BuildRequires: pkgconfig(libxml-2.0)
Requires: %{name}-utils Requires: %{name}-utils
@ -375,7 +376,6 @@ mv vendor-files/config/rndc-access.conf %{buildroot}/%{_sysconfdir}/named.d
install -D -m 0644 %{SOURCE70} %{buildroot}%{_prefix}/lib/tmpfiles.d/bind.conf install -D -m 0644 %{SOURCE70} %{buildroot}%{_prefix}/lib/tmpfiles.d/bind.conf
install -D -m 0644 %{_sourcedir}/named.root %{buildroot}%{_datadir}/factory%{_localstatedir}/lib/named/root.hint install -D -m 0644 %{_sourcedir}/named.root %{buildroot}%{_datadir}/factory%{_localstatedir}/lib/named/root.hint
install -m 0644 vendor-files/config/{127.0.0,localhost}.zone %{buildroot}%{_datadir}/factory%{_localstatedir}/lib/named install -m 0644 vendor-files/config/{127.0.0,localhost}.zone %{buildroot}%{_datadir}/factory%{_localstatedir}/lib/named
install -m 0644 bind.keys %{buildroot}%{_datadir}/factory%{_localstatedir}/lib/named/named.root.key
install -d -m 0755 %{buildroot}/%{_unitdir}/named.service.d install -d -m 0755 %{buildroot}/%{_unitdir}/named.service.d
%else %else
for file in named; do for file in named; do
@ -422,7 +422,6 @@ done
# --------------------------------------------------------------------------- # ---------------------------------------------------------------------------
# remove useless Makefiles and Makefile skeletons # remove useless Makefiles and Makefile skeletons
find %{buildroot}/%{_defaultdocdir}/bind \( -name Makefile -o -name Makefile.in \) -exec rm {} + find %{buildroot}/%{_defaultdocdir}/bind \( -name Makefile -o -name Makefile.in \) -exec rm {} +
install -m 0644 bind.keys %{buildroot}%{_localstatedir}/lib/named/named.root.key
%if %{with_systemd} %if %{with_systemd}
mkdir -p %{buildroot}%{_sysusersdir} mkdir -p %{buildroot}%{_sysusersdir}
install -m 644 %{SOURCE72} %{buildroot}%{_sysusersdir}/ install -m 644 %{SOURCE72} %{buildroot}%{_sysusersdir}/
@ -532,7 +531,6 @@ fi
%config %{_var}/lib/named/root.hint %config %{_var}/lib/named/root.hint
%config %{_var}/lib/named/127.0.0.zone %config %{_var}/lib/named/127.0.0.zone
%config %{_var}/lib/named/localhost.zone %config %{_var}/lib/named/localhost.zone
%config %{_var}/lib/named/named.root.key
%dir %{_libexecdir}/bind %dir %{_libexecdir}/bind
%{_libexecdir}/bind/named.prep %{_libexecdir}/bind/named.prep
%dir %{_libdir}/bind-plugins %dir %{_libdir}/bind-plugins
@ -571,7 +569,6 @@ fi
%files utils %files utils
%dir %{_sysconfdir}/named.d %dir %{_sysconfdir}/named.d
%config(noreplace) %{_sysconfdir}/named.d/rndc-access.conf %config(noreplace) %{_sysconfdir}/named.d/rndc-access.conf
%config(noreplace) %{_sysconfdir}/bind.keys
%dir %{_sysconfdir}/openldap %dir %{_sysconfdir}/openldap
%dir %{_sysconfdir}/openldap/schema %dir %{_sysconfdir}/openldap/schema
%attr(0444,root,root) %config %{_sysconfdir}/openldap/schema/dnszone.schema %attr(0444,root,root) %config %{_sysconfdir}/openldap/schema/dnszone.schema
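
Review bot: Dropping `%config(noreplace) %{_sysconfdir}/bind.keys` from the utils file list, together with the `named.root.key` entries removed in the earlier hunks, comes with no visible upgrade handling. The file was marked noreplace, so administrators may have edited it, and an existing named.conf that still references either path would point at a file the package no longer ships. Consider a scriptlet check that warns about such references, or an explicit upgrade instruction in the changelog entry next to the removal notice.
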
@ -594,20 +591,17 @@ fi
%{_bindir}/dnssec-verify %{_bindir}/dnssec-verify
%{_bindir}/dnssec-cds %{_bindir}/dnssec-cds
%{_bindir}/dnstap-read %{_bindir}/dnstap-read
%{_bindir}/dnssec-ksr
%{_sbindir}/ddns-confgen %{_sbindir}/ddns-confgen
%{_sbindir}/rndc %{_sbindir}/rndc
%{_sbindir}/rndc-confgen %{_sbindir}/rndc-confgen
%{_sbindir}/tsig-keygen %{_sbindir}/tsig-keygen
%{_libdir}/libbind9-%{version}.so
%{_libdir}/libdns-%{version}.so %{_libdir}/libdns-%{version}.so
%{_libdir}/libirs-%{version}.so
%{_libdir}/libisc-%{version}.so %{_libdir}/libisc-%{version}.so
%{_libdir}/libisccc-%{version}.so %{_libdir}/libisccc-%{version}.so
%{_libdir}/libisccfg-%{version}.so %{_libdir}/libisccfg-%{version}.so
%{_libdir}/libns-%{version}.so %{_libdir}/libns-%{version}.so
%{_libdir}/libbind9.so
%{_libdir}/libdns.so %{_libdir}/libdns.so
%{_libdir}/libirs.so
%{_libdir}/libisc.so %{_libdir}/libisc.so
%{_libdir}/libisccc.so %{_libdir}/libisccc.so
%{_libdir}/libisccfg.so %{_libdir}/libisccfg.so
@ -634,6 +628,7 @@ fi
%{_mandir}/man1/named-journalprint.1%{ext_man} %{_mandir}/man1/named-journalprint.1%{ext_man}
%{_mandir}/man1/nsec3hash.1%{ext_man} %{_mandir}/man1/nsec3hash.1%{ext_man}
%{_mandir}/man1/dnstap-read.1%{ext_man} %{_mandir}/man1/dnstap-read.1%{ext_man}
%{_mandir}/man1/dnssec-ksr.1.gz
%{_mandir}/man5/rndc.conf.5%{ext_man} %{_mandir}/man5/rndc.conf.5%{ext_man}
%{_mandir}/man8/ddns-confgen.8%{ext_man} %{_mandir}/man8/ddns-confgen.8%{ext_man}
%{_mandir}/man8/rndc.8%{ext_man} %{_mandir}/man8/rndc.8%{ext_man}
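
Review bot: The new man page entry hardcodes the compression suffix, `%{_mandir}/man1/dnssec-ksr.1.gz`, where every neighbouring entry in this hunk uses `%{ext_man}`. Write it as `%{_mandir}/man1/dnssec-ksr.1%{ext_man}` so the file list stays consistent with the other entries and still matches if the man page compression changes.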

BIN
vendor-files.tar.bz2 (Stored with Git LFS)

Binary file not shown.